diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 57537f3..d22d665 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: [main]
+permissions:
+ contents: read
+
 jobs:
 test:
 runs-on: ubuntu-latest
@@ -13,10 +16,10 @@ jobs:
 matrix:
 node-version: [20, 22, 24]
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Install Bun
- uses: oven-sh/setup-bun@v1
+ uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
 with:
 bun-version-file: .tool-versions
diff --git a/.github/workflows/cr.yml b/.github/workflows/cr.yml
index f6ac805..b264093 100644
--- a/.github/workflows/cr.yml
+++ b/.github/workflows/cr.yml
@@ -10,21 +10,28 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event.number }} # Concurrency group for each PR
 cancel-in-progress: true # Cancel in progress builds for the same PR
+permissions:
+ contents: read
+
 jobs:
 publish:
 if: github.repository == 'honojs/cli' && (github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'cr-tracked'))
 runs-on: ubuntu-latest
 name: 'Publish: pkg.pr.new'
+ permissions:
+ contents: read
+ id-token: write
+ pull-requests: write
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
- - uses: actions/setup-node@v6
+ - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version-file: .tool-versions
- - uses: oven-sh/setup-bun@v2
+ - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
 with:
 bun-version-file: .tool-versions
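Review bot: The pinned `actions/checkout` step in the second ci.yml hunk still runs with its defaults, so the job token stays persisted on the runner for the later steps (outside the hunk, presumably install and test) that execute repository code; adding `with:` and `persist-credentials: false` under the checkout line would remove it. The same applies to the checkout step in `.github/workflows/cr.yml`, where it matters more because that job is granted `id-token: write` and `pull-requests: write`. Separately, this hunk moves checkout from v4 to v6 and setup-bun from v1 to v2 together with the pinning, and the trailing `# v6` / `# v2` comments name moving major tags, so the page does not show which release each SHA corresponds to. Recording the exact release tag in the comment would make each pin auditable. The `steps:` list continues outside the hunk.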
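Review bot: The job-level `permissions` block in cr.yml grants `id-token: write` and `pull-requests: write` to a job that also runs for any pull request carrying the `cr-tracked` label, and nothing in the hunk says which step needs either scope. I would add a short comment on each write scope, e.g. `id-token: write  # <reason: which step requests the OIDC token>`, and drop any scope the publish step (outside the hunk) turns out not to use. The `on:` trigger is also outside the hunk; if it is `pull_request_target` rather than `pull_request`, the label check would be the only gate between fork-authored code and these scopes, so that is worth confirming before merge.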